DDoS Mitigation: Tips to Defend

A distributed denial of service (DDoS) attack is one of the most devastating attacks in today’s business world. It typically involves a large number of compromised computers directing a heavy flow of traffic at a single target. An attack may last a few minutes, hours or days, depending on the attacker’s intent. Many compromised systems act together with one goal: to shut down a service, making all or part of a network, server or website unusable for the duration of the attack. Anyone involved in securing IT infrastructure or network operations knows that denial of service (DoS) and DDoS attacks are a serious problem that is not going away soon. Recent studies indicate that roughly 75–80% of organizations suffered at least one such attack in 2018, and 2019 is expected to be worse [1].

These attacks have become highly distributed and volumetric, are difficult to detect and block, and affect not only the network and servers but also the applications hosted on the infrastructure.

A DDoS attack can prevent a website or server from delivering its services by sending large volumes of traffic from many parts of the world at once. For financial institutions this is especially damaging, since it obstructs customer transactions and can disrupt bank-to-bank transfers.

The DDoS attacks during the first half of 2018 recorded a 111% increase in the attack peak size compared to 2017.—Verizon’s DDoS Trends Report [2]

Verizon’s DDoS Trends Report Observed [1]

What Is a DDoS Attack?

A DoS attack is an attempt to make a machine or network resource unavailable to its intended users by temporarily or indefinitely interrupting or suspending the services of a host connected to the Internet.

It may be a short-lived nuisance, an act of hacktivism or revenge, or a sustained campaign, and the outcome ranges from minor annoyance to long-lasting business loss, financial or otherwise. The aim is to render the targeted server or website completely unresponsive.

A DDoS attack has more than one source, often thousands of end-user systems and devices worldwide, each with its own IP address. The attacker gains control of thousands or millions of computers, owned by ordinary users like you and me or by enterprises that are unaware their systems are being misused, turns them into “bots” or “zombie computers”, and directs them all to send a simple request to a particular website or page. Flooded with that traffic, the targeted server or website bogs down, and the attacker succeeds. Note that in network-layer floods the source addresses may also be spoofed, or the traffic reflected off third-party servers, so the apparent sources are not necessarily the bots themselves; this matters when you later try to filter by source address.

Mitigate DDoS Attacks the Right Way!

DDoS mitigation is high on the priority list for enterprise security teams. Defensive techniques are becoming more sophisticated, but so are attackers. Below are a few techniques to mitigate DDoS attacks.

Reduce Attack Surface Area

The attack surface is the sum of all resources in your enterprise that are exposed to attack. Reducing it limits the opportunities available to attackers. That means removing unnecessary complexity: duplicate or redundant rules in network policy, overly broad access permissions, flat networks that should be segmented, and uncontrolled endpoint access. Back this with analysis: security configuration assessments, traffic-flow analysis, and quantitative risk scoring. For DDoS specifically, every service listening on an Internet-facing address is a target, so expose only what must be public and keep management interfaces off the Internet.
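The rule-hygiene part of this (duplicate rules, dead rules, over-broad allows) is mechanical enough to script. The following is an added example, not code from the original article or from any firewall vendor: it audits an ordered, first-match rule list using a constructed, simplified rule format (action, protocol, source CIDR, destination CIDR, port) and an assumed list of administrative ports that should never face the Internet.

```python
"""Audit an ordered, first-match firewall rule list for duplicate, shadowed
and over-permissive rules.  Added example: the rule format is a constructed,
simplified one and not the syntax of any particular firewall product."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed set of administrative ports that should never be reachable from the Internet.
ADMIN_PORTS = {22, 23, 3389, 3306, 5432, 6379}
ANY_SRC = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source CIDR
    dst: str               # destination CIDR
    port: Optional[int]    # destination port, None = any port


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    proto_ok = outer.proto == "any" or outer.proto == inner.proto
    port_ok = outer.port is None or outer.port == inner.port
    src_ok = ipaddress.ip_network(inner.src, strict=False).subnet_of(
        ipaddress.ip_network(outer.src, strict=False))
    dst_ok = ipaddress.ip_network(inner.dst, strict=False).subnet_of(
        ipaddress.ip_network(outer.dst, strict=False))
    return proto_ok and port_ok and src_ok and dst_ok


def audit(rules: List[Rule]) -> List[Tuple[int, str]]:
    """Return (rule index, finding) pairs, assuming first-match evaluation order."""
    findings = []
    for i, rule in enumerate(rules):
        earlier = rules[:i]
        # An identical earlier rule makes this one pure clutter.
        dup = next((j for j, r in enumerate(earlier) if r == rule), None)
        if dup is not None:
            findings.append((i, f"duplicate of rule {dup}"))
            continue
        # An earlier rule matching a superset of this rule's traffic means this
        # rule can never fire, whatever its action.
        shadow = next((j for j, r in enumerate(earlier) if covers(r, rule)), None)
        if shadow is not None:
            findings.append((i, f"shadowed by rule {shadow}; never matches"))
        # Allows from the whole Internet deserve scrutiny regardless of order.
        if rule.action == "allow" and ipaddress.ip_network(rule.src, strict=False) == ANY_SRC:
            if rule.port is None:
                findings.append((i, "over-permissive: any port reachable from the Internet"))
            elif rule.port in ADMIN_PORTS:
                findings.append((i, f"admin port {rule.port} reachable from the Internet"))
    return findings


# Constructed sample ruleset for a small edge firewall (TEST-NET addresses).
RULES = [
    Rule("allow", "tcp", "0.0.0.0/0", "203.0.113.10/32", 443),        # 0: public HTTPS
    Rule("allow", "tcp", "0.0.0.0/0", "203.0.113.10/32", 80),         # 1: public HTTP
    Rule("allow", "tcp", "0.0.0.0/0", "203.0.113.10/32", 443),        # 2: copy of rule 0
    Rule("allow", "any", "0.0.0.0/0", "203.0.113.0/24", None),        # 3: "temporary" any/any
    Rule("deny", "tcp", "198.51.100.0/24", "203.0.113.10/32", 80),    # 4: block one network
    Rule("allow", "tcp", "0.0.0.0/0", "203.0.113.20/32", 22),         # 5: SSH from anywhere
]

if __name__ == "__main__":
    for index, finding in audit(RULES):
        print(f"rule {index}: {finding}")
```

Run against the sample set, the audit reports rule 2 as a duplicate, rule 3 as an any/any allow, rule 4 as dead (shadowed by rule 1, so the intended block never applies) and rule 5 both as dead and as exposing SSH to the Internet. The shadow check is the one that matters for DDoS exposure: a broad allow placed early silently neutralizes every more specific deny that follows it.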

Patch Systems

Ensure that Internet-facing systems run the latest software updates and security patches and are hardened before they are connected to production. This applies to network devices and server operating systems as well as to hosted applications.

Segregation and Distribution of Access

Segment the network so that the external edge devices receiving inbound traffic, and the data and applications behind them, are distributed and therefore harder to reach and attack as a whole. Using a content delivery network (CDN) with many points of presence (PoPs) avoids a single point of congestion when attackers focus on one target. CDNs distribute content and improve performance partly by minimizing the distance between visitors and the content they request: cached copies are held at PoPs in multiple locations, each PoP containing several caching systems that serve nearby visitors. One caveat: a CDN shields the origin only if the origin’s own IP address is not discoverable. If attackers find it, they can bypass the CDN and hit the origin directly, so configure the origin to accept traffic only from the CDN’s address ranges.

Cloud-Based Scrubbing Services

This involves diverting inbound traffic destined for the protected asset to a cloud scrubbing center run by a specialized provider, which separates attack traffic from legitimate traffic. Diversion is done at the routing layer: the provider announces your prefix (or a more specific one) over the Border Gateway Protocol (BGP) from its own network, so that the Internet routes your inbound traffic to the scrubbing center first. This can be always-on, or triggered on demand when an attack is detected, with automation so that the new route is propagated immediately. Two practical caveats: most networks will not accept announcements smaller than a /24, so assets on smaller allocations must sit in a prefix that can be diverted, and the provider needs authorization to originate your prefix (a letter of authorization plus route-origin records such as IRR objects or an RPKI ROA). The cleaned traffic is returned to your network over pre-established Generic Routing Encapsulation (GRE) tunnels or a direct connection. GRE adds encapsulation overhead, so the tunnel MTU is lower than on the normal path and TCP MSS should be clamped accordingly to avoid fragmentation. Replies from your servers to clients normally leave directly rather than through the tunnel, so the path is asymmetric, and any stateful device in the middle must tolerate that.

Incident Response Planning

Having a proactive, always-on incident response (IR) plan prepares you for an attack whose timing you cannot predict. The plan should draw on threat intelligence and threat hunting to keep mitigation methods current. Define what is to be done and who executes it, rehearse it a couple of times a year, and update the plan after every dry run. Ask your vendors and team members for feedback. An up-to-date, rehearsed response plan also builds the trust of your customers and partners.

Second Line of Defense

Build a second line of defense on your website with analytics and intrusion detection, a resilient network, and a web application firewall (WAF). A WAF sits in front of your application at layer 7, inspecting HTTP requests, and can rate-limit, challenge or block abusive clients, which makes it effective against application-layer floods such as HTTP request floods. It cannot absorb a volumetric attack that saturates the link in front of it; that still requires upstream capacity or scrubbing. Where the WAF is combined with caching, it can also improve application performance and user experience.
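The analytics half of this second line is worth seeing in code, because it shows both what a WAF-style per-client rate limit catches and what it misses against the botnet behaviour described under “What Is a DDoS Attack?”, where each bot sends only a few requests to the same page. The following is an added example, not code from the original article or from any WAF product: it runs two sliding-window counters over constructed Common Log Format lines (TEST-NET addresses), one keyed by source IP and one keyed by request path; the thresholds are assumed values a site would derive from its own baseline.

```python
"""Rate-based detection over web server access logs.  Added example, not
code from the original page: flags clients that exceed a per-source request
rate, and separately flags request paths whose aggregate rate exceeds a
baseline, because a well-distributed flood keeps every bot under the
per-source limit."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Common Log Format: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')


def parse(line: str) -> Optional[Tuple[str, datetime, str]]:
    """Return (ip, timestamp, path) or None for lines that do not match CLF."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["path"]


def peaks(lines: List[str], key: str, window_s: int, threshold: int) -> Dict[str, int]:
    """Peak request count per key ("ip" or "path") in any sliding window of
    window_s seconds, reported only for keys whose peak exceeds threshold."""
    records = [r for r in map(parse, lines) if r is not None]
    records.sort(key=lambda r: r[1])          # log lines are not always in time order
    windows: Dict[str, deque] = defaultdict(deque)
    flagged: Dict[str, int] = {}
    for ip, ts, path in records:
        k = ip if key == "ip" else path
        q = windows[k]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # drop timestamps outside the window
            q.popleft()
        if len(q) > threshold:
            flagged[k] = max(flagged.get(k, 0), len(q))
    return flagged


def flag_sources(lines: List[str], window_s: int = 10, max_requests: int = 20) -> Dict[str, int]:
    """Clients sending more than max_requests in window_s seconds (WAF-style rate limit)."""
    return peaks(lines, "ip", window_s, max_requests)


def flag_paths(lines: List[str], window_s: int = 10, max_requests: int = 100) -> Dict[str, int]:
    """Paths whose total request rate exceeds the site's assumed normal baseline."""
    return peaks(lines, "path", window_s, max_requests)


def make_log() -> List[str]:
    """Constructed sample log: 30 bots hitting /login 5 times each, one
    aggressive client hammering /search, and one normal visitor."""
    base = datetime(2018, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'
    lines = []
    for bot in range(30):
        for k in range(5):
            ts = (base + timedelta(seconds=2 * k)).strftime(TS_FMT)
            lines.append(fmt.format(ip=f"198.51.100.{bot + 1}", ts=ts, path="/login"))
    for k in range(25):
        ts = (base + timedelta(milliseconds=200 * k)).strftime(TS_FMT)
        lines.append(fmt.format(ip="203.0.113.7", ts=ts, path="/search"))
    for k, path in enumerate(["/", "/about", "/contact"]):
        ts = (base + timedelta(seconds=3 * k)).strftime(TS_FMT)
        lines.append(fmt.format(ip="192.0.2.50", ts=ts, path=path))
    return lines


if __name__ == "__main__":
    log = make_log()
    print("per-source offenders:", flag_sources(log))   # only the single aggressive client
    print("flooded paths:", flag_paths(log))            # /login, although no bot exceeded the per-IP limit
```

On the sample log, the per-source check flags only the one noisy client (25 requests in 10 seconds) and every bot stays under the limit with 5 requests each, yet the per-path check shows /login receiving 150 requests in the same window. A WAF rate limit alone would have let that flood through; the aggregate view, compared against a learned baseline, is what exposes it.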

ISP Attack Mitigation Services

Ensure your ISP can define and apply challenges, filters and rules to only the IP address that is under attack. It is neither necessary nor advisable to block legitimate traffic to addresses that are not under attack, to divert whole net blocks, or to preconfigure rule sets for every address that might someday be targeted. Ask specifically what granularity the ISP offers: a remotely triggered blackhole (RTBH) discards all traffic to the attacked address, which stops the flood but also completes the attacker’s goal for that address, whereas selective filtering that matches only the attack traffic (for example via BGP Flowspec) keeps the service reachable.

Employee Security Awareness

Train employees regularly on common cyberattacks so that they can recognize them in the early stages, and train every newcomer on the dos and don’ts of their department. It is also critical to involve senior management in planning DDoS preventive strategies. Poor security practices and a lack of timely action contribute significantly to the success of such attacks.

Segment your IoT devices

To reduce the chance of your IoT devices being conscripted into a DDoS botnet, place them on a dedicated segment behind a firewall with egress filtering, so that a compromised device cannot reach arbitrary Internet destinations, and change their default credentials. While attacks are difficult to prevent outright, a DDoS response plan limits their impact on your organization.

So, to meet the challenge, practice, practice, and practice your IR plan. Agreeing DDoS countermeasures with your ISP and engaging a specialized security vendor are sound preventive steps.

Certified Ethical Hacker (C|EH) is a certification from EC-Council that teaches DDoS and other critical cyberattacks and the ways to combat them. The course puts you in the shoes of a hacker so that you understand the hacker’s mind-set and are able to defend against future attacks. You will learn the five phases of ethical hacking, how to approach a target, and how to break into it. C|EH is ANSI accredited and is mapped to the job roles defined by the NICE framework. To know more about C|EH, visit https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/